30,000 Korean Air Employee Records Stolen as Cl0p Leaks Data Online

Korean Air confirms a major data leak affecting 30,000 staff members after the Cl0p gang targeted a catering partner. Learn what data was stolen and the airline’s response to secure its data.

HackRead

In a worrying turn of events for the aviation industry, Korean Air has confirmed that the personal details of roughly 30,000 current and former employees have been stolen. This news, shared on December 29, 2025, follows a similar security problem at South Korea’s Asiana Airlines earlier this month, where 10,000 staff records were compromised.

**How did the breach happen?**

Korea JoongAng Daily reports that the data was not taken directly from Korean Air’s main systems. Instead, the hackers targeted a company called KC&D Service (Korean Air Catering & Duty-Free).

This company used to be a division of Korean Air but was sold to a private investment group named Hahn & Company in 2020. Despite the sale, KC&D still handles in-flight meals and duty-free goods for the airline, and Korean Air still holds a 20% stake in the business.

“KC&D Service (KC&D)*, an in-flight meal and in-flight sales company that was spun off from our company in 2020 and operates as a separate entity, was recently attacked by an external hacker group. It is understood that during this process, the personal information (names, account numbers) of our employees stored on that company’s ERP server was leaked,” the notice reads.

Official breach notice from Korean Air (source: Korea JoongAng Daily)

The attackers reportedly broke into KC&D’s ERP server (the main system used to manage company resources), likely by exploiting a vulnerability in Oracle E-Business Suite (EBS), a popular business software suite.

This specific vulnerability, tracked as CVE-2025-61882, may have allowed hackers to bypass security checks and take control of the server without needing a username or password. The same vulnerability had previously allowed attackers to breach Envoy Air, the largest carrier operating under American Airlines.

**Who is Responsible?**

This suspicion arises because the infamous digital extortionist group known as the Cl0p gang has claimed responsibility for this data breach. Hackread.com’s recent reporting reveals that Cl0p, a Russian-speaking gang famous for targeting high-value organisations, has been exploiting this Oracle software flaw since early August.

Korean Air is just one of its many victims, as Cl0p has used this same method to target organisations worldwide, including Envoy Air (an American Airlines subsidiary), Harvard University, the University of Pennsylvania, The Washington Post, and Logitech.

In this instance, the group has already started posting nearly 500 GB of stolen files on the dark web because the affected companies refused to pay a ransom.

Cl0p ransomware has leaked almost 456 GB of the Korean Air data (Image credit: Hackread.com)

**What information was taken?**

The stolen data reportedly includes very sensitive details like employee names and bank account numbers stored in the company’s resource planning system. While this is a major concern for the staff, the airline has been quick to reassure the public that customer data, such as flight bookings or credit card details, was not affected in this specific incident.

Woo Kee-hong, the vice chairman of Korean Air, sent a personal message to his team explaining that the company is taking the matter “very seriously.”

“Korean Air takes this incident very seriously, especially since it involves employee data, even if it originated from a third-party vendor that was sold off. We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.”

The airline has already finished emergency security updates and cut off digital links with KC&D to stop any more data from leaking. It has also reported the situation to the Korea Internet and Security Agency (KISA), and is now warning employees to be extremely careful about suspicious text messages or emails that might be part of a follow-up scam.

**South Korea and Recent Data Breaches**

South Korea has been the epicentre of large-scale data breaches and cyber attacks. Earlier in December 2025, Coupang, the country’s shopping giant and alternative to Amazon, suffered a data breach in which all of its 33.7 million users had their data stolen. Days later, the company’s offices were raided, and its CEO, Park Dae-jun, had to resign.

In May 2025, South Korean telecommunications giant SK Telecom revealed a malware attack that remained hidden for nearly two years, leading to the leaking of 26.69 million IMSI units and 9.82 GB of USIM data.
